Russia’s invasion of Ukraine has made cybersecurity threats imminent and added fuel to the geopolitical focus of ransomware gangs. Considering U.S. sanctions against Russia, the possibility of retaliatory cyberattacks by Russian actors or their proxies has significantly increased, putting every U.S. company at risk for a cyberattack.
Russian ransomware gangs directly threatened nations and organizations that retaliate against Moscow for its invasion. The Conti gang, infamous for the cyberattacks on Ireland’s health system, vowed “full support of [the] Russian government” and promised to use “all possible resources to strike back at the critical [infrastructure] of an enemy” that launches “a cyberattack or any war activities against Russia.”
In response, U.S. security officials including the Department of Justice and the Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) have issued warnings to companies regarding these cyberattack risks.
How to Protect Your Company and Yourself
To mitigate risk, boards should insist that management develop an IT security program and monitor the reliability of that program. Borrowing from the DOJ’s guidance on how to evaluate the design, implementation, and effective operation of corporate compliance programs in enforcing the U.S. Foreign Corrupt Practices Act, it may be in directors’ best interest to consider the same questions.
These include: Is the compliance program well designed? Is it applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively? Does the compliance program work in practice?
CISA has issued guidance encouraging leadership to take these steps: (i) empower chief information security officers; (ii) lower reporting thresholds; (iii) participate in a test of a response plan; and (iv) focus on continuity.
In addition to the above, the DOJ and Securities and Exchange Commission also consider factors like whether senior management has (i) clearly articulated company standards, (ii) communicated them in unambiguous terms, (iii) adhered to them scrupulously, and (iv) disseminated them throughout the organization.We anticipate stakeholders will be asking similar questions in considering whether corporate boards have fulfilled their fiduciary duties in connection with cyberattacks.
To ensure that the answer to the foregoing questions are “yes,” boards should consider evaluating current cybersecurity systems, adding talent with expertise in this field, and including updates and discussions on cybersecurity in regular meetings.
It is also pertinent to create a crisis preparedness plan. A few of the questions that need to be considered to ensure data security are: (i) Is data backed up? (ii) How do employees communicate or access key data if forced to work offline due to a cyberattack? and (iii) If files are compromised, what procedures are in place for notifying individuals who had information that was part of the breach?
As cybercriminals become more sophisticated and technology changes, the list of procedures that corporations need to have in place to properly protect their clients and employees will continue to grow.
The Impact of a Cyber Breach on Fiduciary Duties
In the wake of geopolitical unrest, directors and executives are faced with an ever-growing data security concern while various state and federal regulatory agencies implement progressively stricter rules around this space.
States have adopted new consumer data privacy regulations, such as the California Consumer Privacy Act (CCPA), which is comparable to Europe’s General Data Protection Regulation (GDPR). Other states, such as New York and Colorado, have also adopted data security requirements.
Recently, in response to the Log4j vulnerability found in commonly used software, the Federal Trade Commission issued a statement saying that it will consider a failure to take steps to mitigate the risk this software poses as “endangering user security.”
Meanwhile, the SEC recently proposed a series of rules and amendments, including requirements for investment advisers and funds, to implement cybersecurity protocols and report cybersecurity incidents.
Given increased cybersecurity risks and regulatory scrutiny, boards of directors should consider how these risks may relate to their oversight responsibilities under the Caremark doctrine. The court in Marchand v. Barnhill, explained that the Caremark doctrine allows directors to be held personally liable for breaching their duty of loyalty if they do not make a “good faith effort to implement an oversight system and then monitor it” regarding “mission critical” risks. The Delaware court has recognized that “[c]ybersecurity has increasingly become a central compliance risk deserving of board level monitoring...”.
As cybersecurity threats increase, boards of directors should be aware of how their enterprises are addressing cybersecurity in risk management, their governance and internal and external reporting structure around cyber and evaluating whether they need to bring on other directors with cybersecurity experience.
As the war between Russia and Ukraine continues to rage on, and U.S. centric hacker groups, such as Anonymous, have made public statements waging a cyberwar on Russia, U.S. based companies are at an ever-increasing risk of cyberattacks. Cybersecurity is in the spotlight in a way the world has never seen before, so it is of the utmost importance that directors and executives take the necessary steps to protect their companies, their stakeholders, and themselves during this time of turmoil.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Cynthia J. Cole is the deputy department chair of the Corporate Section in Baker Botts’ Palo Alto and San Francisco offices. She focuses on corporate, strategic, and technology transactions, data privacy, and cybersecurity.
Danny David is co-chair of Baker Botts’ Litigation department. He specializes in securities litigation and regularly represents companies and directors in securities class actions and fiduciary duty lawsuits in Texas, Delaware, and across the U.S.
Travis Wofford is chair of the Baker Botts Corporate Department in Houston, vice chair of the Global M&A practice, and member of the Securities Opinion Committee. He focuses on mergers and acquisitions, shareholder engagement, and corporate advisory work, and counsels clients on fiduciary duty and corporate governance matters, including controlling stockholder and related party transactions.
Hailey Ullmann is a law clerk at Baker Botts.